错误5021创建“托管服务帐户"; [英] Error 5021 creating a "Managed Service Account"
问题描述
我花了几天时间试图在Windows Server 2012上为.NET Web应用设置托管服务帐户".让我们从错误开始,然后倒退.
每次尝试访问网站上的页面时,都会收到以下事件,其中*是我的应用程序池的名称:
- 警告5021 -应用程序池*的标识无效.为该身份指定的用户名或密码可能不正确,或者该用户可能没有批量登录权限.如果标识不正确,则当应用程序池收到其第一个请求时,该应用程序池将被禁用.如果批处理登录权限引起了该问题,则必须在授予权限后更改IIS配置存储中的标识,然后Windows Process Activation Service(WAS)才能重试登录.如果在处理对应用程序池的第一个请求之后身份仍然无效,则将禁用该应用程序池.数据字段包含错误号.
- 警告5057 -应用程序池*已被禁用.Windows进程激活服务(WAS)未创建工作进程来为应用程序池提供服务,因为该应用程序池标识无效.
- 错误5059 -应用程序池*已被禁用.Windows进程激活服务(WAS)在启动工作进程为应用程序池提供服务时遇到故障.
~~~
在站着一台新服务器时,我遇到了一个以前从未使用过的很棒的功能:
由于我要使用新数据库来建立一个新应用程序,因此这似乎是一个绝佳的机会来开车兜风!
我最终想出了如何在域控制器上使用以下Power Shell命令创建托管服务帐户:
- 导入模块活动目录
- new-ADServiceAccount -SAMACCOUNTname" SERVICE_ACCT $ "
- add-adComputerServiceAccount-身份 SERVER_NAME SERVICE_ACCT $
在同一powershell窗口中,我可以使用以下powershell命令列出给定服务器的服务帐户:
- get-ADComputerServiceAccount SERVER_NAME
我的托管服务帐户在那里!到目前为止一切都很好...
然后,我不得不修改中央组策略,以将我的服务帐户包括在作为批处理作业登录"和作为服务登录"上.这些位于域控制器上的策略" \"Windows设置" \安全设置" \本地策略" \用户权限分配"下(由于被向下推送,因此在本地服务器上不可编辑).
更改和喝咖啡休息后,权限显示在我的服务器上!
因此,现在我(1)创建了一个托管服务帐户,该帐户已(2)被授予对特定服务器的访问权限,并且在该特定服务器(3)上,该服务帐户已作为批处理作业/服务权限登录.我还(4)为应用程序池和服务帐户都修改了对网站文件夹的访问权限.
我验证了该网站可以使用默认的AppPoolIdentity帐户.
然后...我仍然得到上面的错误(在整个过程中都遇到了).我必须丢失一些东西,但是我可以找到其他尝试的东西!
此致
摩托车
我不得不将它放在架子上一会儿,但最终能够使它正常工作.我发现最有用的资源是MSA上的以下YouTube.
http://www.youtube.com/watch?v=VNCGSQPhLuM
总而言之,有很多要求和步骤
域名要求:
- 域功能级别-Windows Server 2008R2 +
- 运行ADPrep/ForestPrep
客户要求:
- Windows Server 2008R2 +
- .Net Framework 3.5
- 用于Windows PowerShell的Active Directory模块(已随AD DS一起安装,但在此过程中我能够排除该模块以外的所有模块)
支持的软件:
- IIS-是(应用程序池)
- SQL Server-否
在要使用MSA的服务器上,导航至服务器管理器-功能-添加功能"
- 确认已安装3.5 Framework
- 确认已安装Windows PowerShell的Active Directory模块
在具有AD管理工具的任何服务器上,通过PowerShell:注意:我的MSA是 WorkProdDnnIIS ,而我的主机是 WorkProd2012 .
- C:>导入模块活动目录
- C:> New-ADServiceAccount -name WorkProdDnnIIS -启用$ true
- C:> Add-AdComputerServiceAccount-身份 WorkProd2012 -ServiceAccount WorkProdDnnIIS
在具有AD管理工具的任何服务器上,通过AD用户和计算机
- 新的MSA应该列在托管服务帐户"下
通过PowerShell
在要使用MSA的服务器上- C:>导入模块活动目录
- C:> Install-AdServiceAccount -Identity WorkProdDnnIIS
通过IIS管理器在要使用MSA的服务器上
- 更改应用程序池标识(例如,POWER \ WorkProdDnnIIS $-末尾需要美元符号,密码留空)
最后,IIS应用程序池的MSA需要允许作为批处理作业登录"和作为服务登录"的本地策略设置.我怀疑Install-ADServiceAccount会执行此操作,但是无法在本地进行这些更改.我在域控制器上手动编辑了组策略,以达到相同的最终结果.
此致
摩托车
I have spent several days trying to get a "managed service account" set up on Windows Server 2012 for a .NET web app. Let's start with the error and work backwards.
I get the following events ever time I try to access a page on the web site where * is the name of my app pool:
- Warning 5021 - The identity of application pool * is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
- Warning 5057 - Application pool * has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
- Error 5059 - Application pool * has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.
~~~
While standing up a new server, I came across what appears to be an awesome feature which I had not used before:
Since I am standing up a new app with a new database, this seemed like the perfect opportunity to take this for a drive!
I eventually figured out how to create the managed service account with the following power shell commands on a domain controller:
- import-module activedirectory
- new-ADServiceAccount -SAMACCOUNTname "SERVICE_ACCT$"
- add-adComputerServiceAccount -Identity SERVER_NAME SERVICE_ACCT$
In the same powershell window, I can list services accounts for a given server with this powershell command:
- get-ADComputerServiceAccount SERVER_NAME
And my managed service account is there! All good so far ...
I then had to modify our central group policy to include my service account for "Log on as batch job" and "Log on as service". These were under Polices\Windows Settings\Security Settings\Local Policies\User Rights Assignment on our domain controller (these were not editable on the local server as these were being pushed down).
After the changes and a coffee break, the rights show up on my server!
So now I have (1) created a managed service account which has (2) been granted access to a specific server and on that specific server (3) the service account has log on as batch job/service rights. I also (4) gave both the app pool and service account modify access to the web site folder.
I verified the site works with the default AppPoolIdentity account.
And ... I still get the errors above (which I have had during this whole process). I have to be missing something, but I just can find anything else to try!
Regards,
Cooter
I had to put this on the shelf for a while, but was eventually able to get this working. The most helpful resource I found was the following YouTube on MSAs.
http://www.youtube.com/watch?v=VNCGSQPhLuM
To summarize, there are quite a few requirements and steps
Domain Requirements:
- Domain Function Level - Windows Server 2008R2+
- Run ADPrep/ForestPrep
Client Requirements:
- Windows Server 2008R2+
- .Net Framework 3.5
- Active Directory Module for Windows PowerShell (this gets installed with AD DS, but I was able to excluded all but the module during the process)
Supported Software:
- IIS - yes (app pools)
- SQL Server - no
On server where MSA is to be used, navigate to Server Manager - Features - Add features
- Confirm 3.5 Framework installed
- Confirm Active Directory Module for Windows PowerShell installed
On any server with AD administration tools, Via PowerShell: NOTE: My MSA is WorkProdDnnIIS and my host is WorkProd2012.
- C:> import-module activedirectory
- C:> New-ADServiceAccount -name WorkProdDnnIIS -enable $true
- C:> Add-AdComputerServiceAccount -Identity WorkProd2012 -ServiceAccount WorkProdDnnIIS
On any server with AD administration tools, via AD Users and Computers
- the new MSA should be listed under "Managed Service Accounts"
On server on which MSA is to be used, via PowerShell
- C:> import-module activedirectory
- C:> Install-AdServiceAccount -Identity WorkProdDnnIIS
On server on which MSA is to be used, via IIS Manager
- Change App Pool identity (e.g. POWER\WorkProdDnnIIS$ - Dollar sign required on end, leave password blank)
Lastly, the local policy settings to allow "Log on as batch job" and "Log on on as service" are required for the MSA for IIS app pools. I would suspect that the Install-ADServiceAccount would do this, however these changes could not be made locally. I manually edited the group policy on a domain controller to achieve the same end result.
Regards,
Cooter
这篇关于错误5021创建“托管服务帐户";的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
